diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md index e76873af8a49d08ce40d0aa93d9847c474a9140c..b46fa39ce8affc4f9a8f0c57c5b95e3621a8d441 100644 --- a/docs/usage/configuration-options.md +++ b/docs/usage/configuration-options.md @@ -3374,7 +3374,7 @@ Table with options: Post-upgrade tasks are commands that are executed by Renovate after a dependency has been updated but before the commit is created. The intention is to run any other command line tools that would modify existing files or generate new files when a dependency changes. -Each command must match at least one of the patterns defined in `allowedPostUpgradeCommands` (a global-only configuration option) in order to be executed. +Each command must match at least one of the patterns defined in `allowedCommands` (a global-only configuration option) in order to be executed. If the list of allowed tasks is empty then no tasks will be executed. e.g. @@ -3395,7 +3395,7 @@ The `postUpgradeTasks` configuration consists of three fields: A list of commands that are executed after Renovate has updated a dependency but before the commit is made. -You can use variable templating in your commands as long as [`allowPostUpgradeCommandTemplating`](./self-hosted-configuration.md#allowpostupgradecommandtemplating) is enabled. +You can use variable templating in your commands as long as [`allowCommandTemplating`](./self-hosted-configuration.md#allowcommandtemplating) is enabled. <!-- prettier-ignore --> !!! note diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md index 92c196249329749834d3b6dda077ae9a65366619..2f0f680b5f6a04612a0d927eda1cfe4b6b5abc99 100644 --- a/docs/usage/self-hosted-configuration.md +++ b/docs/usage/self-hosted-configuration.md 
@@ -17,17 +17,13 @@ Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md !!! note Config options with `type=string` are always non-mergeable, so `mergeable=false`. -## allowCustomCrateRegistries - -## allowPlugins - -## allowPostUpgradeCommandTemplating +## allowCommandTemplating Let's look at an example of configuring packages with existing Angular migrations. ```javascript module.exports = { - allowedPostUpgradeCommands: ['^npm ci --ignore-scripts$', '^npx ng update'], + allowedCommands: ['^npm ci --ignore-scripts$', '^npx ng update'], }; ``` @@ -58,11 +54,32 @@ npm ci --ignore-scripts npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force ``` -If you wish to disable templating because of any security or performance concern, you may set `allowPostUpgradeCommandTemplating` to `false`. -But before you disable templating completely, try the `allowedPostUpgradeCommands` config option to limit what commands are allowed to run. +If you wish to disable templating because of any security or performance concern, you may set `allowCommandTemplating` to `false`. +But before you disable templating completely, try the `allowedCommands` config option to limit what commands are allowed to run. + +This configuration option was previously named `allowPostUpgradeCommandTemplating`. + +## allowCustomCrateRegistries + +## allowPlugins ## allowScripts +## allowedCommands + +A list of regular expressions that decide which commands in `postUpgradeTasks` are allowed to run. +If this list is empty then no tasks will be executed. + +For example: + +```json +{ + "allowedCommands": ["^tslint --fix$", "^tslint --[a-z]+$"] +} +``` + +This configuration option was formerly known as `allowedPostUpgradeCommands`. + ## allowedEnv Bot administrators can allow users to configure custom environment variables within repo config. 
@@ -129,19 +146,6 @@ module.exports = { }; ``` -## allowedPostUpgradeCommands - -A list of regular expressions that decide which commands in `postUpgradeTasks` are allowed to run. -If this list is empty then no tasks will be executed. - -For example: - -```json -{ - "allowedPostUpgradeCommands": ["^tslint --fix$", "^tslint --[a-z]+$"] -} -``` - ## autodiscover When you enable `autodiscover`, by default, Renovate runs on _every_ repository that the bot account can access. diff --git a/lib/config/global.ts b/lib/config/global.ts index 295fb4f394e44c8d82bef104a3e12e9a3098adc2..928f1c17939d6dc1af5c52d77fdc55c9f60879b9 100644 --- a/lib/config/global.ts +++ b/lib/config/global.ts @@ -3,12 +3,12 @@ import type { RenovateConfig, RepoGlobalConfig } from './types'; export class GlobalConfig { // TODO: once global config work is complete, add a test to make sure this list includes all options with globalOnly=true (#9603) private static readonly OPTIONS: (keyof RepoGlobalConfig)[] = [ + 'allowedCommands', 'allowedEnv', + 'allowCommandTemplating', 'allowCustomCrateRegistries', 'allowedHeaders', - 'allowedPostUpgradeCommands', 'allowPlugins', - 'allowPostUpgradeCommandTemplating', 'allowScripts', 'binarySource', 'cacheDir', diff --git a/lib/config/migrations/migrations-service.ts b/lib/config/migrations/migrations-service.ts index 66eacdb0d34fcbe6b2e76be4ffd684aa2d123260..2dfb84d5123fbe50ad7d37ea6edd5fa8476cde17 100644 --- a/lib/config/migrations/migrations-service.ts +++ b/lib/config/migrations/migrations-service.ts @@ -82,6 +82,8 @@ export class MigrationsService { static readonly renamedProperties: ReadonlyMap<string, string> = new Map([ ['adoptium-java', 'java-version'], + ['allowPostUpgradeCommandTemplating', 'allowCommandTemplating'], + ['allowedPostUpgradeCommands', 'allowedCommands'], ['azureAutoApprove', 'autoApprove'], ['customChangelogUrl', 'changelogUrl'], ['endpoints', 'hostRules'], 
diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts index 1468e9c99393e42ffc16fe5c355218f2571f8249..c803e48b2482390bc5f0ee745a563d563dc706d9 100644 --- a/lib/config/options/index.ts +++ b/lib/config/options/index.ts @@ -108,7 +108,7 @@ const options: RenovateOptions[] = [ globalOnly: true, }, { - name: 'allowPostUpgradeCommandTemplating', + name: 'allowCommandTemplating', description: 'Set this to `false` to disable template compilation for post-upgrade commands.', type: 'boolean', @@ -116,9 +116,9 @@ const options: RenovateOptions[] = [ globalOnly: true, }, { - name: 'allowedPostUpgradeCommands', + name: 'allowedCommands', description: - 'A list of regular expressions that decide which post-upgrade tasks are allowed.', + 'A list of regular expressions that decide which commands are allowed in post-upgrade tasks.', type: 'array', subType: 'string', default: [], diff --git a/lib/config/types.ts b/lib/config/types.ts index 583069f0ec5c0211462b34d6fe8d23f0a8a81d96..d3c38f602112a3a9263bd7ada6a16498771b796e 100644 --- a/lib/config/types.ts +++ b/lib/config/types.ts @@ -132,13 +132,13 @@ export interface GlobalOnlyConfig { // Config options used within the repository worker, but not user configurable // The below should contain config options where globalOnly=true export interface RepoGlobalConfig { + allowedCommands?: string[]; + allowCommandTemplating?: boolean; allowCustomCrateRegistries?: boolean; allowPlugins?: boolean; - allowPostUpgradeCommandTemplating?: boolean; allowScripts?: boolean; allowedEnv?: string[]; allowedHeaders?: string[]; - allowedPostUpgradeCommands?: string[]; binarySource?: 'docker' | 'global' | 'install' | 'hermit'; cacheDir?: string; cacheHardTtlMinutes?: number; diff --git a/lib/config/validation.spec.ts b/lib/config/validation.spec.ts index 927650a07d732df7f340cd1c7f32369dcb9981e6..727100998c32eebefe303c0d329f6d7131848713 100644 --- a/lib/config/validation.spec.ts +++ b/lib/config/validation.spec.ts 
@@ -1764,7 +1764,7 @@ describe('config/validation', () => { it('validates array type options', async () => { const config = { - allowedPostUpgradeCommands: ['cmd'], + allowedCommands: ['cmd'], checkedBranches: 'invalid-type', gitNoVerify: ['invalid'], mergeConfidenceDatasources: [1], diff --git a/lib/workers/global/config/parse/cli.ts b/lib/workers/global/config/parse/cli.ts index 7830852e74e2aae2e49babe36e153a0cdde26147..33550e7fe84c45e77d84eeaef85f8592021650cc 100644 --- a/lib/workers/global/config/parse/cli.ts +++ b/lib/workers/global/config/parse/cli.ts @@ -20,6 +20,11 @@ export function getConfig(input: string[]): AllConfig { const argv = input .map((a) => a + .replace( + '--allow-post-upgrade-command-templating', + '--allow-command-templating', + ) + .replace('--allowed-post-upgrade-commands', '--allowed-commands') .replace('--endpoints=', '--host-rules=') .replace('--expose-env=true', '--trust-level=high') .replace('--expose-env', '--trust-level=high') diff --git a/lib/workers/global/config/parse/env.ts b/lib/workers/global/config/parse/env.ts index 79ed110d6b5be095a6332d3b96ddaf8736d30a7a..493d8969a09b2c582bc67b7e619e443604b46d1f 100644 --- a/lib/workers/global/config/parse/env.ts +++ b/lib/workers/global/config/parse/env.ts @@ -42,6 +42,8 @@ const renameKeys = { gitLabAutomerge: 'platformAutomerge', // migrate: gitLabAutomerge mergeConfidenceApiBaseUrl: 'mergeConfidenceEndpoint', mergeConfidenceSupportedDatasources: 'mergeConfidenceDatasources', + allowPostUpgradeCommandTemplating: 'allowCommandTemplating', + allowedPostUpgradeCommands: 'allowedCommands', }; function renameEnvKeys(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv { diff --git a/lib/workers/repository/update/branch/execute-post-upgrade-commands.spec.ts b/lib/workers/repository/update/branch/execute-post-upgrade-commands.spec.ts index dd823de3abfa1b8a56b1419d309f1819edf6dd55..fc5210e2ac476565bb27ec04d0eece42984c82af 100644 
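Review bot: The two added `.replace` calls in `getConfig` match the legacy flag text anywhere in the argument, not only as the option name, and they rewrite it without telling the operator. This follows the neighbouring `--endpoints=` line, but these two flags control which commands may run, so I would anchor them, e.g. `.replace(/^--allowed-post-upgrade-commands/, '--allowed-commands')`, and do the same for `--allow-post-upgrade-command-templating`. No cli.spec.ts change appears in this diff, so the legacy spellings look untested. `getConfig` continues outside the hunk.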
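Review bot: The two added `renameKeys` entries do not say which value wins when both the legacy and the new environment variable are set; that is decided in `renameEnvKeys`, whose body is outside this hunk. For `allowedCommands` the answer determines which allowlist is actually enforced, so it deserves a comment and a test; no env.spec.ts change appears in this diff. I would at least mark the entries like the neighbouring one, e.g. `allowedPostUpgradeCommands: 'allowedCommands', // migrate: allowedPostUpgradeCommands`, and state the precedence in a comment above `renameKeys`.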
--- a/lib/workers/repository/update/branch/execute-post-upgrade-commands.spec.ts +++ b/lib/workers/repository/update/branch/execute-post-upgrade-commands.spec.ts @@ -47,7 +47,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () => ); GlobalConfig.set({ localDir: __dirname, - allowedPostUpgradeCommands: ['some-command'], + allowedCommands: ['some-command'], }); fs.localPathIsFile .mockResolvedValueOnce(true) @@ -97,7 +97,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () => ); GlobalConfig.set({ localDir: __dirname, - allowedPostUpgradeCommands: ['some-command'], + allowedCommands: ['some-command'], }); fs.localPathIsFile .mockResolvedValueOnce(true) @@ -146,7 +146,7 @@ describe('workers/repository/update/branch/execute-post-upgrade-commands', () => ); GlobalConfig.set({ localDir: __dirname, - allowedPostUpgradeCommands: ['some-command'], + allowedCommands: ['some-command'], }); fs.localPathIsFile .mockResolvedValueOnce(true) diff --git a/lib/workers/repository/update/branch/execute-post-upgrade-commands.ts b/lib/workers/repository/update/branch/execute-post-upgrade-commands.ts index b295198c37036a5b080cf41468a0320c67ffb388..d934ae424887a790cc65a471e903a3be3e363946 100644 --- a/lib/workers/repository/update/branch/execute-post-upgrade-commands.ts +++ b/lib/workers/repository/update/branch/execute-post-upgrade-commands.ts 
@@ -30,19 +30,15 @@ export async function postUpgradeCommandsExecutor( ): Promise<PostUpgradeCommandsExecutionResult> { let updatedArtifacts = [...(config.updatedArtifacts ?? [])]; const artifactErrors = [...(config.artifactErrors ?? [])]; - const allowedPostUpgradeCommands = GlobalConfig.get( - 'allowedPostUpgradeCommands', - ); - const allowPostUpgradeCommandTemplating = GlobalConfig.get( - 'allowPostUpgradeCommandTemplating', - ); + const allowedCommands = GlobalConfig.get('allowedCommands'); + const allowCommandTemplating = GlobalConfig.get('allowCommandTemplating'); for (const upgrade of filteredUpgradeCommands) { addMeta({ dep: upgrade.depName }); logger.trace( { tasks: upgrade.postUpgradeTasks, - allowedCommands: allowedPostUpgradeCommands, + allowedCommands, }, `Checking for post-upgrade tasks`, ); @@ -65,13 +61,9 @@ export async function postUpgradeCommandsExecutor( } for (const cmd of commands) { - if ( - allowedPostUpgradeCommands!.some((pattern) => - regEx(pattern).test(cmd), - ) - ) { + if (allowedCommands!.some((pattern) => regEx(pattern).test(cmd))) { try { - const compiledCmd = allowPostUpgradeCommandTemplating + const compiledCmd = allowCommandTemplating ? compile(cmd, mergeChildConfig(config, upgrade)) : cmd; @@ -94,14 +86,14 @@ export async function postUpgradeCommandsExecutor( logger.warn( { cmd, - allowedPostUpgradeCommands, + allowedCommands, }, - 'Post-upgrade task did not match any on allowedPostUpgradeCommands list', + 'Post-upgrade task did not match any on allowedCommands list', ); artifactErrors.push({ lockFile: upgrade.packageFile, stderr: sanitize( - `Post-upgrade command '${cmd}' has not been added to the allowed list in allowedPostUpgradeCommands`, + `Post-upgrade command '${cmd}' has not been added to the allowed list in allowedCommands`, ), }); } 
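Review bot: `GlobalConfig.get('allowedCommands')` can return `undefined`, because `allowedCommands?: string[]` is optional in `RepoGlobalConfig`, and the later `allowedCommands!.some(...)` in this function only silences the compiler. Defaulting at the read, `const allowedCommands = GlobalConfig.get('allowedCommands') ?? [];`, makes an unset list take the existing "did not match" branch, so the command is denied and an artifact error is recorded instead of the function throwing; the `!` can then be dropped. The spec hunks in this diff always set the option, so the unset case looks untested. The function body continues past this hunk.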
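Review bot: The allowlist test `allowedCommands!.some((pattern) => regEx(pattern).test(cmd))` runs on the raw `cmd`, while the string used afterwards is `compiledCmd`, produced by `compile(cmd, mergeChildConfig(config, upgrade))` when `allowCommandTemplating` is true. The values substituted by the template are therefore never compared with the patterns, which is what the spec pattern `^echo {{{versioning}}}$` elsewhere in this diff relies on. Checking the compiled string instead would break such patterns, so I would document the contract above the `if`: `// NOTE: patterns are matched against the uncompiled template; substituted values are not re-checked, so treat template fields as untrusted input.` The loop body continues outside the hunk, so how `compiledCmd` is executed is not visible here.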
diff --git a/lib/workers/repository/update/branch/index.spec.ts b/lib/workers/repository/update/branch/index.spec.ts index 174679d01823e929f244d3868e8ec75ea1cd57e0..feddb9d5c33c4c12015cfb795589963d287b5f47 100644 --- a/lib/workers/repository/update/branch/index.spec.ts +++ b/lib/workers/repository/update/branch/index.spec.ts @@ -1634,8 +1634,8 @@ describe('workers/repository/update/branch/index', () => { GlobalConfig.set({ ...adminConfig, - allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'], - allowPostUpgradeCommandTemplating: true, + allowedCommands: ['^echo {{{versioning}}}$'], + allowCommandTemplating: true, exposeAllEnv: true, localDir: '/localDir', }); @@ -1668,7 +1668,7 @@ describe('workers/repository/update/branch/index', () => { commitSha: null, }); const errorMessage = expect.stringContaining( - "Post-upgrade command 'disallowed task' has not been added to the allowed list in allowedPostUpgradeCommand", + "Post-upgrade command 'disallowed task' has not been added to the allowed list in allowedCommands", ); expect(platform.ensureComment).toHaveBeenCalledWith( expect.objectContaining({ @@ -1732,8 +1732,8 @@ describe('workers/repository/update/branch/index', () => { GlobalConfig.set({ ...adminConfig, - allowedPostUpgradeCommands: ['^exit 1$'], - allowPostUpgradeCommandTemplating: true, + allowedCommands: ['^exit 1$'], + allowCommandTemplating: true, exposeAllEnv: true, localDir: '/localDir', }); @@ -1817,8 +1817,8 @@ describe('workers/repository/update/branch/index', () => { commit.commitFilesToBranch.mockResolvedValueOnce(null); GlobalConfig.set({ ...adminConfig, - allowedPostUpgradeCommands: ['^echo {{{versioning}}}$'], - allowPostUpgradeCommandTemplating: false, + allowedCommands: ['^echo {{{versioning}}}$'], + allowCommandTemplating: false, exposeAllEnv: true, localDir: '/localDir', }); 
@@ -1919,8 +1919,8 @@ describe('workers/repository/update/branch/index', () => { GlobalConfig.set({ ...adminConfig, - allowedPostUpgradeCommands: ['^echo {{{depName}}}$'], - allowPostUpgradeCommandTemplating: true, + allowedCommands: ['^echo {{{depName}}}$'], + allowCommandTemplating: true, exposeAllEnv: true, localDir: '/localDir', }); @@ -2069,8 +2069,8 @@ describe('workers/repository/update/branch/index', () => { GlobalConfig.set({ ...adminConfig, - allowedPostUpgradeCommands: ['^echo hardcoded-string$'], - allowPostUpgradeCommandTemplating: true, + allowedCommands: ['^echo hardcoded-string$'], + allowCommandTemplating: true, trustLevel: 'high', localDir: '/localDir', });